Getting certificates for postfix via/through caddy

1. The problem I’m having:

Been using caddy in a container as a reverse proxy for a few months now, and I couldn’t be happier. It’s terminating a bunch of other containers, doing the certificates and it couldn’t have been more straightforward to set up.

But I have a trickier setup in mind now. I want to move my mailserver (postfix and dovecot), and have a webmail behind caddy, all on the same server/fqdn. The webmail reverse proxy is obviously very straightforward, but I am wondering how to get lets encrypt certificates for postfix and dovecot.

I can see two approaches:

  • I could use the certificates caddy will generate anyway for the webmail. That would be convenient in that the certificates exist - but then postfix wants a full chain certificate, and I would have to source and concatenate all that together into one file palatable for postfix. I’ve not found a straightforward way to do so, and am a bit reluctant to let a cron job just wildly copy files together and restart my mail server - this will work long enough for me to forget the detail, and then it will fail gracelessly.

  • The other option would be to run a certbot to generate certificates separately from caddy’s. But then caddy would have to grant certbot access to a .well-known directory to leave its verification files, and caddy would have to exempt that directory from proxying (and I think, only serve it on port 80, not 443). I can’t claim any knowledge at all on caddy, so maybe I’ve just not searched with the right terms, but I’ve not really found a how-to or similar on this.

What’s the best way of getting my certificate, and is there a good tutorial or other resource you could point me to?

2. Error messages and/or full log output:

Not set up anything yet; there are no error messages.

3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

a. System environment:

podman version 4.3.1

b. Command:

podman run -d \
    --restart=unless-stopped \
    --name="caddy" \
    -p 80:80 \
    -p 443:443 \
    -p 443:443/udp \
    -v /opt/caddy/Caddyfile:/etc/caddy/Caddyfile \
    -v /opt/caddy/data:/data \
    docker.io/caddy:latest

d. My complete Caddy config:

mail.example.org {
        reverse_proxy 10.8.0.3:8080
}

5. Links to relevant resources:

Running Caddy in Docker does complicate this somewhat (because of isolation). But what we recommend is using events to hook into when Caddy issues and renews certificates for a domain. See Global options (Caddyfile) — Caddy Documentation
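Neither the "copy the chain together" approach from the question nor the event hook the reply points at is shown in code on this page, so here is an added example (not the poster's setup and not Caddy's own code): a POSIX shell script that either a cron job or a certificate-issued hook could call with the certificate and key paths. The destination directory, the reload command and the argument order are assumptions. It refuses anything that is not a full chain, verifies the chain with openssl, checks that the key belongs to the certificate, installs both files atomically and only then reloads the mail services, which is what keeps the "works until I forget about it, then fails gracelessly" scenario from silently breaking mail.

```shell
#!/bin/sh
# Added example, not from the original post or from Caddy. Installs a
# certificate chain and key for postfix/dovecot only after validating them.
# Calling convention (assumed): install_mail_cert <fullchain.pem> <privkey.pem>
set -eu

MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/postfix/tls}"           # assumed destination
RELOAD_CMD="${RELOAD_CMD:-systemctl reload postfix dovecot}" # assumed reload command

# Number of certificate blocks in a PEM file. Postfix wants the leaf plus the
# intermediates in one file, so a usable chain has at least two blocks.
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Verify the leaf against the system trust store, using every block after the
# first one as untrusted intermediates (the same way a mail client would).
chain_verifies() {
    cert="$1"
    inter=$(mktemp)
    awk '/-----BEGIN CERTIFICATE-----/ {n++} n >= 2 {print}' "$cert" > "$inter"
    if openssl verify -untrusted "$inter" "$cert" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$inter"
    return $rc
}

# The key must match the leaf: compare the public key derived from each.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Validate, then install atomically (write .new, rename) and reload.
# Any failed check returns non-zero before the mail server is touched.
install_mail_cert() {
    cert="$1"
    key="$2"
    if [ "$(pem_cert_count "$cert")" -lt 2 ]; then
        echo "refusing: $cert does not contain a full chain" >&2
        return 1
    fi
    chain_verifies "$cert" || { echo "refusing: chain does not verify" >&2; return 1; }
    key_matches_cert "$cert" "$key" || { echo "refusing: key does not match cert" >&2; return 1; }

    mkdir -p "$MAIL_CERT_DIR"
    install -m 0644 "$cert" "$MAIL_CERT_DIR/fullchain.pem.new"
    install -m 0600 "$key"  "$MAIL_CERT_DIR/privkey.pem.new"
    mv -f "$MAIL_CERT_DIR/fullchain.pem.new" "$MAIL_CERT_DIR/fullchain.pem"
    mv -f "$MAIL_CERT_DIR/privkey.pem.new"   "$MAIL_CERT_DIR/privkey.pem"
    $RELOAD_CMD
}

# Run directly as: ./install-mail-cert.sh /path/to/fullchain.pem /path/to/privkey.pem
if [ "$#" -ge 2 ]; then
    install_mail_cert "$1" "$2"
fi
```

Point postfix's smtpd_tls_chain_files (or the older cert/key pair) and dovecot's ssl_cert / ssl_key at the two files in MAIL_CERT_DIR; because the script renames rather than overwrites, a reload never sees a half-written file, and a bad chain leaves the previous one in place.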
